Linux - Newbie
This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!


I have a home network with 4 Win98 clients and one Linux box that I want to set up as a gateway to the net (via a cable modem). I want to be able to restrict my children's internet access in two ways: (1) the time of day they are allowed to surf and (2) some sort of filter for adult content. Can someone point me in the right direction? FYI, my Linux box is an old AMD K6-233 with a 6.4GB drive running Suse Linux 7.1.

Your box sounds more than adequate for the task, and I personally like your choice of distro.

If you're looking for a software rather than a social solution, try the following.

Install whatever Win9x client software for netfiltering.

Try a Google search for 'cbq'. You can set it up to throttle network usage (speed and access) based on combinations of port assignment, time of day and users. I wouldn't use it for content-based filtering though.

If you want to put the energy into it, you can just set up Squid and keep extensive logs. Then tell your kids that you know what they are up to. I guess it depends on what your kids are like. IIRC you can limit access by site.

I'm definitely wanting to put energy into the software side...mostly because I know it can be done! I know only a very little about Squid - are there any good resources to check out on how to set it up? Are there any other alternatives to Squid? I've heard that Squid can be a RAM hog and I've only got 64MB....will that be adequate? (on the other hand, RAM is so cheap I should probably get another stick or two).

I managed to get it set up here (more of an experiment than for any real use) without too much difficulty. It definitely does allow you to control site access, so you could set it up to filter out, say, any URL containing XXX etc., but you will probably find yourself editing your rules quite frequently to gain access to valid sites that contain matchable substrings (say, the word Essex would be hit by a simple rule matching URLs that contain the word 'sex'). The other thing that might be useful as far as Squid is concerned is that it will cache the pages that it retrieves, so if your kids visit the same site a few times a day it won't necessarily burn your cable modem's bandwidth retrieving the page again, but will return the cached copy.

How are you currently getting out onto the WWW? IP Masquerading I assume? If this is the case then your kids will simply have the option to turn off the use of the proxy in your browser's config! You might want to stop forwarding attempts to access port 80 on any outside machines, this should effectively stop them, however they could still set their browsers to use your ISP's proxy, in which case they would no longer be going out to port 80 on a machine and be able to look at anything... Fun eh??

The best option would be to not forward any http packets out onto the www, but I don't know how you would do it... Anyone on the forum got any ideas on this one?
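The Essex problem from the post above, as an added example that is not part of the original thread: it runs a bare substring pattern and a delimiter-bounded one over constructed URLs. `grep -E -i` stands in for a case-insensitive Squid `url_regex` ACL, which is an assumption about how the rule would be written; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample URLs (not taken from the thread).
URLS='http://www.essex.ac.uk/
http://www.sussex.gov.example/parks
http://news.example/middlesex-cricket
http://sex.example/
http://example.com/sex/index.html
http://example.org/weather'

# The simple rule described in the post: any URL containing "sex".
NAIVE='sex'
# Same word, but only when it is not embedded in a longer run of letters.
BOUNDED='(^|[^a-zA-Z])sex([^a-zA-Z]|$)'

# Print the URLs a pattern would block (empty output if none).
blocked() {
    printf '%s\n' "$URLS" | grep -E -i -- "$1" || true
}

# Count the URLs a pattern would block.
count_blocked() {
    blocked "$1" | grep -c . || true
}

# Succeeds if the given URL is blocked by the given pattern.
is_blocked() {
    printf '%s\n' "$2" | grep -E -i -q -- "$1"
}

if [ "${1:-}" = show ]; then
    echo "naive blocks $(count_blocked "$NAIVE") of 6:";   blocked "$NAIVE"
    echo "bounded blocks $(count_blocked "$BOUNDED") of 6:"; blocked "$BOUNDED"
fi
```

The bounded pattern stops the Essex, Sussex and Middlesex false positives but will also miss longer words that merely start with the same letters, so the rule list still needs regular upkeep.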

Originally posted by jmelgin:
I'm definitely wanting to put energy into the software side...mostly because I know it can be done! I know only a very little about Squid - are there any good resources to check out on how to set it up? Are there any other alternatives to Squid? I've heard that Squid can be a RAM hog and I've only got 64MB....will that be adequate? (on the other hand, RAM is so cheap I should probably get another stick or two).

Squid will use a bit of RAM to say the least if you let it, but all of the RAM details you tend to read assume that you are using Squid to proxy a company or university or something that sorta size. It was running fine on my IDT WinChip-2 233 with 64MB, and that had loads of other crap running too, a lower spec than your box.

I recently tried learning about ipmasquerading and proxy... I believe that proxy is something specific to applications (applications should have the logic built in to use a proxy) whereas with IPMasquerading you just configure your network clients to use the linux server as the gateway.
Will disabling 'use proxy server' in the browser disable IP Masq too? My thoughts say that it shouldn't... Can anyone clarify this please?

Originally posted by prowzen:
I recently tried learning about ipmasquerading and proxy... I believe that proxy is something specific to applications (applications should have the logic built in to use a proxy) whereas with IPMasquerading you just configure your network clients to use the linux server as the gateway.
Will disabling 'use proxy server' in the browser disable IP Masq too? My thoughts say that it shouldn't... Can anyone clarify this please?

Yeah, IP Masquerading (called NAT by everyone else - Network Address Translation) is invisible to the client software. There is no way from the client to disable NAT apart from changing the default gateway. The 'use proxy server' option in your software doesn't make any difference. Hence the issue with trying to control WWW access with the proxy - it isn't much use when you can simply sidestep it by setting your software not to use it!

On the subject of default gateways I found that Windows can give some interesting error messages when your default gateway isn't set, but they are application dependent. I changed my network and updated to 10/100 cards all round. I forgot to set my default gateway on my Win98 box. When I tried to get to an external site Opera would report "You may not access that site from this machine", and IE spent ages going around in circles trying all the different domains (.com, .net, .co.uk, etc...) before finally giving up with some cryptic error message... This threw me for a few minutes...

Rather than setting up a Squid proxy system, is there a way to force users off of the system at a certain time? For example, I understand in Win2k Server you can set up allowable times for users to be logged into the system. Is that possible with Linux? If so, I could force the kids off the system and therefore deny access to the net and other system services that way. Is there an easy way to do this?

To use the proxy or IP-Masq/NAT you don't need to be logged in... I imagine you can set a rule for Squid to only allow access at specific times but I don't know of any existing 'nice' way to deny access to the 'gateway' (be it really a proxy, or a forwarder of some kind) based on the time.

Bound to be a way, just a case of finding the software. I don't imagine it would be that difficult to write a filter that would sit on a port and deny packets from specific IPs at specific times. There might even be such features in the 2.4 replacement for IP-chains (damned if I can remember the name!), I certainly haven't come across it in IP chains.

As for an alternative. There are lots of Proxies... Squid is just about the most fully featured and caches... For a small application that doesn't require caching I'm sure there are lots out there.

Originally posted by jmelgin:
Rather than setting up a Squid proxy system, is there a way to force users off of the system at a certain time? For example, I understand in Win2k Server you can set up allowable times for users to be logged into the system. Is that possible with Linux? If so, I could force the kids off the system and therefore deny access to the net and other system services that way. Is there an easy way to do this?

With CBQ (more info in the readme I linked to a couple of posts up) you can limit by time of day, IP address (hosts).

I have the same problem with two sons - and I split the problem into two parts.

I spent a few bucks (around 25 I think) on a proprietary Windoze site filter. There are several to choose from and I think even one or two freeware ones these days...

And the easy part is to use Ipchains on the linux gateway to do the time-clock part.

Simply configure 2 or 3 different ipchains files with different rulesets which allow some, none or all the machines (your choice) to access the internet via your linux gateway on the cable. Then use good old cron to switch over from one file to another at appropriate times.

At 2000 hrs when small son should be getting ready for bed, cron switches from ruleset one to ruleset two, then at 2130 when Big son should be getting ready for bed, cron runs ipchains with ruleset three and then only mum and dad can surf the net...

The main reason I went this route is that I couldn't find a freeware linux based content filter that was 'up-to-date'. Most of the paid-for Windoze ones include regular updates with the fee so the 'banned lists' keep getting updated.

Hope this helps and if you need help with the ipchains config ping me here.
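One way to build the cron-switched rulesets described in the post above, as an added example that is not the poster's own configuration. The LAN addresses, the `eth0` external interface, the 0700 switch back to ruleset one and the `netclock` script path are all assumptions, and the clients are assumed to have fixed addresses.

```shell
#!/bin/sh
# Added example; addresses, interface and the 0700 reset are assumptions.
EXTIF=eth0                          # assumed cable-modem interface
SMALL=192.168.1.11                  # constructed LAN addresses
BIG=192.168.1.12
PARENTS="192.168.1.13 192.168.1.14"

# Map a clock time (HHMM) to the ruleset that should be live.
ruleset_for_time() {
    t=$(echo "$1" | sed 's/^0*//'); t=${t:-0}   # "0005" -> 5, "0000" -> 0
    if [ "$t" -ge 700 ] && [ "$t" -lt 2000 ]; then echo one
    elif [ "$t" -ge 2000 ] && [ "$t" -lt 2130 ]; then echo two
    else echo three
    fi
}

# Hosts allowed out through the gateway under each ruleset.
allowed_hosts() {
    case "$1" in
        one)   echo "$SMALL $BIG $PARENTS" ;;
        two)   echo "$BIG $PARENTS" ;;
        three) echo "$PARENTS" ;;
        *)     return 1 ;;
    esac
}

# Print the ipchains commands for a ruleset: default-deny on the forward
# chain, then masquerade only the listed hosts.
emit_rules() {
    hosts=$(allowed_hosts "$1") || return 1
    echo "ipchains -P forward DENY"
    echo "ipchains -F forward"
    for h in $hosts; do
        echo "ipchains -A forward -i $EXTIF -s $h -j MASQ"
    done
}

# "show" prints the commands for the current time, "apply" runs them (root).
# crontab entries (hypothetical path):
#   0 7,20 * * *  /usr/local/sbin/netclock apply
#   30 21 * * *   /usr/local/sbin/netclock apply
case "${1:-}" in
    show)  emit_rules "$(ruleset_for_time "$(date +%H%M)")" ;;
    apply) emit_rules "$(ruleset_for_time "$(date +%H%M)")" | sh ;;
esac
```

Because the ruleset is derived from the clock rather than passed in by cron, calling `apply` from a boot script as well puts a gateway restarted at, say, 2100 straight onto ruleset two instead of waiting for the next cron switch.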